VICTORY: State Department Decides Not to Classify “Cyber Products” as “Munitions”

This week, the U.S. Department of State’s Defense Trade Advisory Group (DTAG) met to decide whether to classify “cyber products” as munitions, placing them in the same export control regime as hand grenades and fighter planes. Thankfully, common sense won out and the DTAG recommended that “cyber products” not be added to the control list. EFF and Access Now filed a brief joint statement with the DTAG urging this outcome and we applaud the DTAG’s decision.

There were a number of problems with the proposal to place “cyber products” on the U.S. Munitions List, but most importantly, no one knows how “cyber products” would be defined. As we’ve long argued in other contexts, trying to draw definitions around “defensive” and “offensive” tools is essentially impossible and any vagueness would have significant chilling effects on the security community. In essence, we think that the threshold problem of defining which “cyber products” are subject to control is likely an insurmountable obstacle to effective regulation.

But beyond the definitional problem, we fundamentally disagree with the idea of classifying any computer security tools as weapons. Until the late 1990s, encryption itself was included on the U.S. Munitions List. Indeed, one of EFF’s flagship cases from that era was a constitutional challenge to that listing. We won, and cryptographic tools are no longer legally defined as “munitions” in the United States.

Export controls on software, as we told the DTAG, have in the past had serious unintended consequences. Previous export controls on software have resulted in widespread risk to all Internet users. For example, the inclusion of encryption technology on the Munitions List led to deployment of an “export grade” standard to avoid the export controls. As it turned out, that persistent “export grade” standard, even 20 years after encryption controls were lifted, left millions of users susceptible to the “FREAK” and “Logjam” attacks used to monitor and modify website browsing data.

Related Updates

When it comes to guns, nearly everyone has strong views. When it comes to Internet publication of 3D printed guns, those strong views can push courts and regulators into making hasty, dangerous legal precedents that will hurt the public's ability to discuss legal, important, and even urgent topics ranging from...

Today, the the Trump Administration announced the decertification of the Iranian nuclear deal agreed by the previous administration. It's the strongest sign of many showing that the U.S. government intends to take a new and more confrontational line against Iran.
But long before the decertification, tech companies were making...

Cisco custom-built the so-called “Great Firewall of China,” also known as the “Golden Shield.” This system enables the Chinese government to conduct Internet surveillance and censorship against its citizens. As if that weren’t bad enough, company documents also revealed that, as part of its marketing pitch to China and in...

“We think that trying to craft a regulatory definition that would capture offensive tools only while leaving defensive tools freely available is not possible,” Nate Cardozo, a staff attorney at the Electronic Frontier Foundation told The Hill. “We think it’s a fool’s errand to even try.”

“We think that trying to craft a regulatory definition that would capture offensive tools only while leaving defensive tools freely available is not possible,” Nate Cardozo, a staff attorney at the Electronic Frontier Foundation told The Hill. “We think it’s a fool’s errand to even try.”

Stanford, California—On Wednesday, October 21, at 12:45 pm, the Electronic Frontier Foundation (EFF) will urge a federal appeals court to order the U.S. government to disclose information about its role in facilitating exports of American-made surveillance tools to foreign nations. The hearing is part of a Freedom of Information Act...

EFF filed a Freedom of Information Act (FOIA) lawsuit against the U.S. Department of Commerce (DOC) in 2012 seeking export license applications for "surreptitious listening equipment" submitted since 2006. This category of regulated technology is used primarily for wiretapping and EFF filed the lawsuit after the DOC released just two...

Readers of these pages will be familiar with the debate going on between government officials and technologists around the world about law enforcement’s perceived need to access the content of any and all encrypted communications....

The Electronic Frontier Foundation, Symantec, and many other organizations are concerned about the effect of the new regulations on companies that use or provide penetration testing or network monitoring tools, as well as on security research in general.
"We think it's a terrible idea," said Cindy Cohn, executive director...